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BUSINESS PRIVACY IN THE ELECTRONIC MARKETPLACE 

FIELD OF THE INVENTION 

The present invention relates generally to electronic 
5 commerce, and specifically to maintaining privacy of 
information in electronic transactions. 

BACKGROUND OF THE INVENTION 

Traditionally, the protection and disclosure of business 

10 information belongs to the domain of confidentiality. 
Corporations commonly define certain internal information as 
being confidential and develop policies to prevent disclosure 
of the information to unauthorized parties. When there is a 
need to disclose confidential information to an outside party, 

15 it is typically subject to a confidential disclosure agreement 
(CDA) , negotiated in a paperwork business process on a 
case-by-case basis. 

Although most business-to-business interactions are not 
subject to such strict restrictions on information exchange, 

20 there is still a great deal of intelligence that can be 
gleaned from these exchanges . A simple product inquiry or 
purchase order, for example, can reveal sensitive information 
that many businesses would like to keep private. While 
disclosure of such private information between the partners to 

25 the transaction is generally unavoidable, businesses (as well 
as individuals) may seek to restrict the subsequent use or 
distribution of this information by the transaction partner. 

Maintaining privacy of business information is' a 
particularly acute problem in the context of the electronic 

30 marketplace. Increasing numbers of businesses, as well as 
consumers, buy and sell goods and services over the Internet. 
Web sites that serve as "marketplaces," which enable buyers to 
search and compare prices and terms among multiple vendors, 
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are rapidly growing in popularity. Any user of such a Web 
site exposes a range of his or her private information 
including name, address, Web surfing habits, financial 
information, purchasing needs and deals that may be in 
5 progress. Both the marketplace and vendors can use this 
information for business intelligence analysis. The results 
of the analysis can be used for targeted telemarketing and can 
also be sold to third parties. Consumers may be bothered by 
subsequent junk mail sent to them as a result of such analysis 
10 and resale of information. For businesses, however, 

unrestricted distribution of this private information can have 
more serious consequences, particularly if it falls into the 
hands of competitors or of other businesses with whom they are 
in negotiations . 

15 In response to the need to protect private information, 

electronic marketplaces and other Web sites have begun to 
establish and post their own privacy policies. Visitors to 
such sites are invited to check the privacy policies upon 
entering the site, in order to know in advance how the private 

20 information that they disclose will be treated. To facilitate 
this process, the World Wide Web Consortium has undertaken the 
Platform for Privacy Preferences Project (P3P) , which is 
described at www.w3.org/P3P. P3P is envisioned as an industry 
standard for providing a simple, automated way for users to 

25 gain more control over the use of personal information on Web 
sites they visit. It provides a standardized set of 
multiple-choice questions, covering major aspects of a Web 
site's privacy policies, in order to give a ''snapshot" of how 
a site handles personal information about its users. 

30 P3P-enabled Web sites make this information available in a 
standard, machine-readable format. P3P-enabled browsers can 
read this snapshot automatically and compare it to the 
consumer's own set of privacy preferences. If there is a 
mismatch between the site's privacy policy and the user's 

35 preferences, the user then has the option of not conducting 
further business with the site. 
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SUMMARY OF THE INVENTION 

5 From the point of view of businesses seeking to buy and 

sell items of goods and services in the electronic 
marketplace, the tools that are currently available for 
protecting private information are inadequate. The privacy 
policies posted by electronic marketplaces and other Web sites 

10 are inflexible, requiring customers to make an 
"all-or-nothing" decision as to whether to accept or reject 
the posted policy before even making an inquiry. (At best, a 
customer may select a check box on screen to ask to be left 
off future mailing lists.) Examples of the inflexibility of 

15 current privacy approaches include the following: 

• There is no provision in such privacy policies to allow 
the customer to make a staged disclosure as a transaction 
progress, starting with an anonymous inquiry, for example, 
followed by submission of purchase information when the 

20 customer actually decides to make a purchase. 

• There is no possibility of negotiating terms of privacy 
protection, except by the conventional CDA route, or of 
providing different preferences among which the customer may 
choose. 

25 • While an electronic marketplace may post and abide by its 
own privacy policy, vendors offering items through the 
marketplace may have their own privacy policies that are 
incompatible with that of the marketplace, or they may have no 
such policies at all. 

30 Preferred embodiments of the present invention provide a 

flexible framework in which parties doing business in an 
electronic commerce setting can automatically negotiate the 
terms of privacy protection to be provided, by matching 
privacy criteria that the parties have defined in advance. 

35 This framework is useful particularly in business -to-business 
(B2B) interactions, and especially in interactions carried out 
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through an intermediary electronic marketplace or portal. 
More generally, however, the principles of the present 
invention are applicable to substantially any type of 
electronic commerce setting, including business-to- consumer 
5 (B2C) and mixed B2C/B2B settings. 

In some preferred embodiments of the present invention, 
an electronic marketplace serves as a broker of private 
information between a buyer and one or more sellers . Upon 
logging into the marketplace, the buyer is preferably prompted 

10 to select a default privacy policy, typically from among a 
number of alternative policies offered by the marketplace. 
Alternatively, the buyer may input his or her own privacy 
preferences, preferably based on a standard form or language 
for recording privacy preferences and choices, such as an 

15 extension of the above-mentioned P3P standard. 

The preferences specified by the buyer indicate which 
private information may be disclosed to the marketplace, and 
which may be disclosed to the sellers, and at what stages of 
the planned transaction. The preferences also specify the 

20 uses to which the marketplace and sellers may put the private 
information. Some of the private information may be 

encrypted, so that the marketplace can pass it through to a 
selected seller but cannot access the information itself. 
Preferably, the privacy preferences defined by the buyer 

25 and/or by the marketplace include alternative positions and/or 
flexible, logical guidelines, so that a mutually-acceptable 
policy can be negotiated automatically if there is a mismatch 
between the preferences that are specified initially. 

After the buyer and marketplace have agreed on the 

30 privacy policy, the buyer submits a query or purchase order to 
the marketplace for a desired item of goods or services. The 
marketplace then finds one or more sellers offering the 
desired item and attempts to match the privacy policy agreed 
upon with the buyer to the sellers' proposed privacy policies. 

35 At this stage, too, the policies proposed by the sellers 
preferably include alternative or fallback positions, so that 
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the marketplace can automatically negotiate a final policy 
acceptable to all of the parties. Only then is the buyer's 
information passed to the seller, who decrypts the information 
if necessary and fills the order. Optionally, if indicated by 
5 the agreed-upon policy, the buyer's private information is 
passed to the seller in stages, as the transaction progresses. 
Upon completion of the transaction, the marketplace and seller 
are entitled to record, analyze, use and distribute the 
buyer's private information and buying behavior only to the 

10 extent allowed by the agreed-upon policy. 

There is therefore provided, in accordance with a 
preferred embodiment of the present invention, a method for 
controlling an exchange of information between a first party 
and a second party, including: 

15 receiving from the first party a set of one or more 

privacy preferences, indicating restrictions to be placed on 
use of specified items of the information to be disclosed by 
the first party; 

receiving from the second party a description of a 

20 privacy policy, indicating undertakings by the second party 
with regard to restricting the use of the specified items of 
the information; 

assessing compatibility of the privacy preferences with 
the privacy policy; 

25 if the privacy preferences and the privacy policy are 

found to be incompatible, brokering a negotiation with at 
least one of the first and the second parties so as to bring 
the privacy preferences and the privacy policy into mutual 
compatibility; and 

30 providing the information from the first party to the 

second party only when the privacy preferences and the privacy 
policy are found to be compatible. 

Preferably, the restrictions indicated by the set of 
privacy preferences include restrictions on disclosure of the 

35 specified items of the information to third parties. 
Alternatively or additionally; the restrictions indicated by 
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the set of privacy preferences include restrictions * on 
analysis of the information and/or a description of a 
condition subject to which the first party will permit one of 
the specified items to be used by the second party. 
5 Preferably, the first and second parties exchange the 

information via a computer network, and receiving the privacy 
preferences and the privacy policy includes receiving the 
preferences and the policy via the network. Additionally or 
alternatively, the second party is one of a plurality of 

10 parties eligible to receive the information, and assessing the 
compatibility of the privacy preferences includes selecting 
the second party from among the plurality of eligible parties 
responsive to the compatibility of the privacy preferences 
with the privacy policy of the second party. 

15 Preferably, providing the information includes conducting 

a transaction between the first and second parties based on 
the information, wherein the transaction is conducted in a 
sequence of stages, and wherein providing the information 
includes providing different ones of the specified items at 

20 each of two or more different stages of the transaction, in a 
manner specified by the set of privacy preferences. 
Additionally or alternatively, conducting the transaction 
includes submitting a purchase order containing the 
information from the first party to the second party, 

25 whereupon the second party fills the purchase order. 

Further preferably, providing the information includes 
passing the information through an intermediary, which 
recedves the privacy preferences and the privacy policy and 
brokers the negotiation if the privacy preferences and the 

30 privacy policy are found to be incompatible. Preferably, the 
intermediary includes an electronic marketplace, which is 
accessed by the first and second parties via a computer 
network. Additionally or alternatively, assessing the 

compatibility of the privacy preferences with the privacy 

35 policy includes establishing an intermediary privacy policy, 
responsive to the privacy preferences, subject to which the 
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first party is to communicate with the intermediary, and 
assessing the compatibility of the intermediary privacy policy 
with the privacy policy of the second party. Most 
preferably, providing the information includes conveying the 
5 information via the intermediary, wherein a portion of the 
information is provided in an encrypted form, in accordance 
with the privacy preferences, for decryption only by the 
second party and not by the intermediary. 

There is also provided, in accordance with a preferred 
10 embodiment of the present invention, a method for electronic 
commerce , including : 

establishing a privacy policy restricting use of 
information to be revealed by a buyer to an electronic 
marketplace in connection with a transaction to be carried out 
15 by the buyer through the marketplace; 

subject to the privacy policy, receiving the information 
from the buyer, including a description of an item desired to 
be procured for the buyer; 

locating a seller in communication with the marketplace 
20 offering the item; 

receiving from the seller an undertaking to restrict the 
use of the information in accordance with the privacy policy; 
and 

providing the information to the seller, subject to the 
25 undertaking, responsive to which information the seller 
conveys the item to the buyer. 

In a preferred embodiment, receiving the information 
includes tracking and analyzing behavior of the buyer while 
the buyer is visiting the marketplace in order to derive 
30 purchase behavior data regarding the buyer, and including 
limiting use of the data in accordance with a restriction 
imposed by the privacy policy. 

There is additionally provided, in accordance with a 
preferred embodiment of the present invention, apparatus for 
35 controlling an exchange of information between a first party 
and a second party, including an information exchange server, 
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arranged to receive from the first party a set of one or more 
privacy preferences, indicating restrictions to be placed on 
use of specified items of the information to be disclosed by 
the first party, and to receive from the second party a 
5 description of a privacy policy, indicating undertakings by 
the second party with regard to restricting the use of the 
specified items of the information, and to assess 
compatibility of the privacy preferences with the privacy 
policy, such that if the privacy preferences and the privacy 

10 policy are found to be incompatible, the server brokers a 
negotiation with at least one of the first and the second 
parties so as to bring the privacy preferences and the privacy 
policy into mutual compatibility, and to convey the 
information from the first party to the second party only when 

15 the privacy preferences and the privacy policy are found to be 
compatible. 

There is further provided, in accordance with a preferred 
embodiment of the present invention, apparatus for maintaining 
an electronic marketplace, including an electronic commerce 

20 server arranged to establish a privacy policy restricting use 
of information to be revealed by a buyer to the server in 
connection with a transaction to be carried out by the buyer 
through the server and, subject to the privacy policy, to 
receive the information from the buyer, including a 

25 description of an item desired to be procured for the buyer, 
to locate a seller in communication with the marketplace 
offering the item, to receive from the seller an undertaking 
to restrict the use of the information in accordance with the 
privacy policy, and to provide the information to the seller, 

30 subject to the undertaking, responsive to which information 
the seller conveys the item to the buyer. 

There is moreover provided, in accordance with a 
preferred embodiment of the present invention, a system for 
controlling an exchange of information, including: 

35 a first computer, provided with a set of one or more 

privacy preferences, indicating restrictions to be placed on 
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use of specified items of the information to be disclosed by 
the first party; 

a second computer, provided with a description of a 
privacy policy, indicating undertakings by the second party 
5 with regard to restricting the use of the specified items of 
the information; and 

an information exchange server, coupled to communicate 
with the first and second computers via a computer network, 
and arranged to assess compatibility of the privacy 
10 preferences with the privacy policy, such that if the privacy 
preferences and the privacy policy are found to be 
incompatible, the server brokers a negotiation with at least 
one of the first and the second parties so as to bring the 
privacy preferences and the privacy policy into mutual 
15 compatibility, and further arranged to provide the information 
from the first party to the second party only when the privacy 
preferences and the privacy policy are found to be compatible. 

There is furthermore provided, in accordance with a 
preferred embodiment of the present invention, a system for 
20 electronic commerce, including: 

a buyer computer, operated by a buyer; 

one or more seller computers, operated by respective 
sellers; and 

an electronic commerce server coupled to communicate with 
25 the buyer and seller computers via a computer network, and 
arranged to establish a privacy policy restricting use of 
information to be revealed by the buyer computer to the server 
in connection with a transaction to be carried out by the 
buyer computer through the server and, subject to the privacy 
30 policy, to receive the information from the buyer computer, 
including a description of an item desired to be procured for 
the buyer, to identify one of the seller computers making an 
offer to supply the item, to receive from the seller computer 
an undertaking to restrict the use of the information in 
35 accordance with the privacy policy, and to provide the 
information to the seller computer, subject to the 
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undertaking, responsive to which information the respective 
seller conveys the item to the buyer . 

There is additionally provided, in accordance with a 
preferred embodiment of the present invention, a computer 
5 software product for controlling an exchange of information 
between a first party and a second party, the product 
including a computer-readable medium in which program 
instructions are stored, which instructions, when read by a 
computer, cause the computer to receive from the first party a 

10 set of one or more privacy preferences, indicating 
restrictions to be placed on use of specified items of the 
information to be disclosed by the first party, and to receive 
from the second party a description of a privacy policy, 
indicating undertakings by the second party with regard to 

15 restricting the use of the specified items of the information, 
and to assess compatibility of the privacy preferences with 
the privacy policy, and if the privacy preferences and the 
privacy policy are found to be incompatible, to broker a 
negotiation with at least one of the first and the second 

20 parties so as to bring the privacy preferences and the privacy 
policy into mutual compatibility, and to provide the 
information from the first party to the second party only when 
the privacy preferences and the privacy policy are found to be 
compatible . 

25 There is still further provided, in accordance with a 

preferred embodiment of the present invention, a computer 
software product for electronic commerce, the product 
including a computer-readable medium in which program 
instructions are stored, which instructions, when read by a 

30 computer, cause the computer to establish a privacy policy 
restricting use of information to be revealed by a buyer to an 
electronic marketplace in connection with a transaction to be 
carried out by the buyer through the marketplace, and subject 
to the privacy policy, to receive the information from the 

35 buyer, including a description of an item desired to be 
procured from the buyer, and to locate a seller in 



WO 02/21789 



- 11 - 



PCT/IB01/01577 



communication with the marketplace offering the item, and to 
receive from the seller an undertaking to restrict the use of 
the information in accordance with the privacy policy, and to 
provide the information to the seller, subject to the 
5 undertaking, responsive to which information the seller 
conveys the item to the buyer. 

The present invention will be more fully understood from 
the following detailed description of the preferred 
embodiments thereof, taken together with the drawings. 

10 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic, pictorial illustration of a system 

15 for electronic commerce, in accordance with a preferred 
embodiment of the present invention; 

Fig. 2 is a flow chart that schematically illustrates a 
method for carrying out an electronic transaction subject to a 
privacy policy negotiated among the parties to the 

20 transaction, in accordance with a preferred embodiment of the 
present invention; 

Fig. 3 is a flow chart that schematically illustrates a 
method for negotiating a privacy policy between a buyer and an 
electronic marketplace, in accordance with a preferred 

25 embodiment of the present invention; 

Fig. 4 is a flow chart that schematically illustrates a 
method for handling private information provided by a buyer to 
an electronic marketplace, in accordance with a preferred 
embodiment of the present invention; and 

30 Fig. 5 is a flow chart that schematically illustrates a 

method for concluding an electronic transaction and for using 
private information conveyed in the course of the transaction, 
in accordance with a preferred embodiment of the present 
invention. 

35 
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DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Fig. 1 is a schematic, pictorial illustration showing a 
5 system 20 for electronic commerce, in accordance with a 
preferred embodiment of the present invention. A buyer 22, 
typically a business seeking to purchase goods or services 
that it needs, establishes a connection with an electronic 
marketplace, referred to hereinbelow as a market maker 24, via 

10 a network 26, such as the Internet. Typically, the market 
maker operates a Web site or portal, giving the buyer access 
to a range of sellers, such as a seller 28, who offer the type 
of items that the buyer needs. Such market makers commonly 
present a catalog or other listing of available items, 

15 consolidating the offerings of many sellers and giving the 
buyer a range of item types, prices and supply terms from 
which to choose. When the buyer orders an item from the 
catalog or specifies his buying preferences in some other 
acceptable manner, the market maker selects the appropriate 

20 seller and passes the buyer's order on to the seller for 
fulfillment. 

The functions of buyer 22, market maker 24 and seller 28 
are carried by computers linked to network 26, as shown in the 
figure. These computers are equipped with software for 

25 performing transactions automatically, with minimal user 
involvement other than updating the listing of available items 
at the seller's side and indicating the items desired at the 
buyer's. Software for these purposes is known in the art. In 
preferred embodiments of the present invention, as described 

30 hereinbelow, the computer software also provides for 
definition of machine-readable privacy preferences and 
automated negotiation of a flexible privacy policy .among the 
buyer, market maker and seller. Software for this purpose may 
be supplied to the computers in electronic form, over network 

35 26, for example, or it may alternatively be supplied on- 
tangible media, such as CD-ROM. 
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In describing methods for electronic commerce and privacy 
protection hereinbelow, for the sake of clarity, reference is 
made specifically to system 20 as a model for implementation 
of the present invention. It will be understood, however, 

5 that the present invention is not limited in any way to this 
specific application environment. Rather, the principles of 
the present invention may be applied in substantially any 
electronic commerce setting in which protection of privacy of 
information is desired. More generally, these principles can 

10 be brought to bear in other contexts for the control the 
exchange of sensitive information among computers 
communicating over electronic media, as a more efficient 
alternative to case-by-case confidential disclosure 
agreements . 

15 Fig. 2 is a flow chart that schematically illustrates a 

method for carrying out an electronic transaction between 
buyer 22 and seller 28 through market maker 24, in accordance 
with a preferred embodiment of the present invention. The 
buyer, seeking to purchase an item of goods or services of a 

20 particular type, logs into the market maker's Web site, at a 
log-in step 30. Before proceeding to browse the site for the 
desired item, the buyer is invited to negotiate and conclude 
an agreed-upon privacy policy with the market maker, at a 
buyer privacy negotiation step 32. A preferred implementation 

25 of this step is described in detail hereinbelow with reference 
to Fig. 3. If the buyer and market maker reach agreement on a 
privacy policy, at an agreement step 34, the buyer proceeds 
with the transaction. Otherwise, if the buyer has strong 
privacy preferences that cannot be satisfied by the criteria 

30 of the market maker's privacy policy, the buyer leaves the 
market maker's Web site, at a log-off step 36. Preferably, if 
the buyer has made purchases from this market maker in the 
past, so that a privacy policy was already mutually agreed on 
at a previous transaction and has not since been changed, 

35 steps 32 and 34 can be skipped. 

Once the privacy policy is concluded, the buyer browses 
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the market maker's listings of goods and services, referred to 
herein as the market maker's catalog, to find the desired 
item, at a browsing step 38. At this stage, the market maker 
receives information from the buyer that may be subject to the 
5 privacy policy negotiated at step 32 . Handling of this 
private information by the market maker is described 
hereinbelow with reference to Fig. 4. The market maker uses 
the information received from the buyer to find one or more 
sellers of the item that the buyer has requested, at a seller 

10 search step 40. Of course, the market maker must be able to 
use at least the portion of the buyer's private information 
that is necessary to identify the appropriate seller or 
sellers. It may also be necessary to pass sufficient 
information to the seller so that an updated price quote and 

15 delivery schedule can be obtained. Depending on the 

agreed-upon privacy policy, however, other portions of the 
buyer's private information may be hidden from the market 
maker, preferably by encryption, and may be withheld from the 
seller until the buyer has accepted the offer. 

20 When the seller of the desired item has been identified, 

the market maker must confirm that the seller undertakes to 
abide by the buyer's agreed privacy policy, at a seller 
privacy negotiation step 42. If the buyer has a privacy 
preferences that match the proposed policy listed by the 

25 seller, the market maker can proceed with the transaction. 
Otherwise, another automated negotiation must take place, 
typically matching the policy proposed by the seller against 
the alternative preferences listed by the buyer and by the 
market maker. If no agreement is reached, the market maker 

30 will not pass the buyer's private information on to the 
seller, and there will be no transaction concluded with this 
seller. The market maker may instead attempt to match or 
negotiate the buyer's agreed privacy policy with another 
seller offering the desired item. The possibility of losing 

35 business due to such failed privacy negotiations provides 
sellers with an incentive to define proposed policies that are 
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as flexible as possible. 

Once the privacy policy has been agreed upon with the 
seller, the market passes the buyer's order information on to 
the seller, at an order step 44. The seller processes the 
5 order, at a completion step 46, including charging the buyer 
for the item and shipping it to the buyer's address as 
appropriate. Details of a preferred implementation of these 
steps are described hereinbelow with reference to Fig. 5. If 
allowed by the agreed privacy policy, the seller and/or the 
10 market maker may process and use the information gleaned from 
the transaction for the purposes of business intelligence and 
follow-up. Upon completion of the transaction, the buyer logs 
• off. 

Fig. 3 is a flow chart that schematically illustrates a 

15 method for selecting or negotiating a privacy policy between 
buyer 22 and market maker 24, in accordance with a preferred 
embodiment of the present invention. Upon entering the market 
maker's Web site, the buyer is directed to a privacy handling 
page in the site, at a page direction step 50. Preferably, 

20 the market maker offers a number of alternative default 
policies among which the buyer can choose, at a policy 
browsing step 52. The policies define what elements of the 
buyer's private information will be submitted to the market 
maker, and what elements can be submitted by the market maker 

25 to possible sellers. The policies may also indicate at what 
stage certain elements of the inf ormation will be submitted to 
the market maker and/or to the seller, enabling a phased 
disclosure as the transaction proceeds, as noted above. In 
addition, the policies may specify the uses to which the 

30 market maker and/or seller may put the information they 
receive. 

An exemplary policy for use in the setting 
business-to-business (B2B) purchasing could be the following: 
• No buyer financial information to be passed to any parties 
35 other than the seller. 
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• No buyer contact information to be passed to any parties 
other than the seller. 

• Buyer contact information to be passed to the seller only 
after privacy policy has been agreed upon (at step 42, Fig. 

5 2) . 

• Business intelligence analysis may be performed by the 
market maker and used by the seller and seller's partners, but 
by no other parties. Various definitions of the seller's 
w partners" may be used in this context. . For example, a 

10 partner may be an entity that is identified as such by the 
seller and shares the seller's privacy policy or has a 
stricter policy. Alternatively or additionally, a partner may 
be an entity that meets certain criteria in the buyer's 
privacy preferences. (Of course, the buyer's privacy 

15 preferences may specify that no information is to be disclosed 
to any party other than the seller.) 

• The market maker and seller may not collect data on the 
buyer's procurement patterns.. 

• Final order details to be passed to the seller in encrypted 
20 form (typically using the seller's public key, as is known in 

the art) and hidden from the market maker and all others. 

This policy is listed by way of example, and alternative 
policies will be apparent to those skilled in the art. For 
example, the buyer might select a policy that allows certain 

25 contact or procurement information to be passed to other 
sellers, as well, in order to receive information regarding 
new products and price changes occurring in the market of 
interest. The market maker may also offer incentives to 
induce buyers to choose more permissive privacy policies. 

30 If the buyer finds an acceptable default policy, at a 

policy selection step 54, the buyer submits the choice to the 
market maker, at a policy submission step 56. The buyer can 
then browse the market maker's catalog or input details of the 
desired item for purchase, at a browsing initiation step 64. 

35 Alternatively, if none of the default policies offered by 
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the market maker meet the buyer's requirements, the buyer 
specifies his or her preferences, at a proposal step 58. 
Preferably, the buyer's preferences are expressed in a 
standard format or language, such as an extension of the P3P 

5 standard mentioned above. Most preferably, the format 
provides a listing of types or fields of information and 
possible recipients of the information, and allows the buyer 
to specify one of the following choices for each [field, 
recipient] pair: 

10 • Always disclose. 

• Never disclose. 

e Optionally disclose subject to one or more specified 
conditions . 

Preferably, the format provides for various types of 
15 conditions to be specified, and also allows the buyer to 
indicate that he or she is willing to forego a given optional 
preference as needed, if the market maker or a particular 
seller is unwilling to accept it. Examples of conditions that 
the buyer can specify include the following: 
20 • A certain phase of the transaction has been reached. 

• The seller fits certain criteria specified by the buyer, 
such as size, visibility, affiliation with industry groups, 
customer privacy protection record, etc. (It is assumed that 
data regarding these criteria are available to the 

25 marketplace.) 

• The seller appears on a list of names of companies with 
whom the buyer is or is not prepared to do business. 

The market maker evaluates the buyer's selected 
preferences, at a proposal evaluation step 60. If the 
30 preferences are compatible with general privacy policy 
guidelines maintained by the market maker, the market maker 
returns its acceptance of the proposal to the buyer, and the 
transaction continues from step 64. On the other hand, if 
there are points in the buyer's preferences that are not 
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acceptable to the market maker or are expected to be 
unacceptable to potential sellers, the market maker preferably 
prompts the buyer to renegotiate the privacy terms, at a 
renegotiation step 62. At this point, the buyer has the 
5 choice of modifying one or more of his or her preferences, or 
of logging off the site. 

Fig. 4 is a flow chart that schematically illustrates a 
method for handling information provided by buyer 22 in the 
course of browsing and making a transaction through market 

10 maker 24, in accordance with a preferred embodiment of the 
present invention. Once the buyer and market maker have 
agreed on the privacy policy to cover their interaction, the 
buyer inputs initial purchase information to the market maker, 
at an initial submission step 70. This inf ormation is 

15 necessary in order for the buyer to browse the market maker's 
on-line catalog, as well as for the market maker to locate the 
sellers offering goods or services that meet the buyer's 
requirements. If the agreed privacy policy allows, the market 
maker tracks the buyer's purchase needs and navigation in the 

20 market maker's Web site, at a tracking step 72. The market 
maker can then present the buyer with targeted advertising, 
help, discount coupons, etc., at a buyer assistance step 74, 
as is known in the art. On the other hand, the privacy policy 
choices offered by the market maker enable the buyer who does 

25 not wish to receive these sorts of assistance to opt out of 
them in advance. 

At a purchase information step 76, the buyer inputs to 
the market maker financial and delivery information necessary 
for completing the transaction with the buyer. In accordance 

30 with the privacy policy, the buyer may choose to provide this 
information only when a seller has been located offering the 
desired item with an acceptable price and terms. In any case, 
the market maker provides the information only to the seller 
with whom the transaction is to be made, unless the agreed 

35 privacy policy allows the market maker to give all or part of 
the information to other parties. Alternatively or 



WO 02/21789 PCT/EB01/01577 

- 19 - 

additionally, as noted above, the buyer may provide the 
purchase information in an encrypted form that can be 
decrypted only by the selected seller. Further alternatively 
or additionally, if the buyer has sufficient trust in the 
5 market maker, the purchase information can be provided by the 
buyer with the initial information submission, at step 70, in 
order to save time in concluding the transaction when the 
suitable seller is found. 

Fig. 5 is a flow chart that schematically illustrates a 

10 method for concluding the transaction between buyer 22 and 
seller 28, as well as for using the information provided by 
the buyer in the course of transaction, in accordance with a 
preferred embodiment of the present invention. Optionally, as 
noted above, the buyer's private information is conveyed to 

15 the seller in stages, at a staged submission step 80. .For 
example, the buyer may remain anonymous to the seller during 
the browsing stage, followed by disclosure of the buyer's name 
and address upon requesting a quote, with full disclosure of 
buyer details provided only after a purchase agreement is 

20 reached . 

Once the buyer has accepted the seller's offer, the 
seller receives the buyer's order information and decrypts any 
of the data that are encrypted, at a decryption step 82 . 
Based on the order information, the seller charges the buyer's 

25 credit card or other account and ships the goods to the buyer, 
at an order conclusion step 84. At an information re-use step 
86, both the market maker and the seller are required to 
determine whether the privacy policy agreed upon with the 
buyer allows either of them to make further use of the 

30 information provided in the course of the transaction. If the 
policy forbids re-use of the buyer's information, in whole or 
in part, the market maker and seller must purge their records 
of the forbidden information. Typical business practice, 
however, provides that at least some of the buyer information 

35 is to be stored, by the seller and/or the market maker, at a 
storage step 88. 
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In addition, if permitted by the privacy policy, the 
seller and/or market maker perform business intelligence 
analysis of the transaction, at an analysis step 90. As is 
known in the art, this analysis can provide useful information 
5 on the buyer's needs and preferences, enabling the seller and 
market maker to improve their service to the seller in the 
future and to offer the seller targeted advertising and 
promotions. In addition, in accordance with the privacy 
policy, the market maker and/or the seller may share elements 

10 of the information provided by the buyer and of the results of 
the business intelligence analysis with other parties, at a 
sharing step 92 . The privacy policy preferably specifies 
which portions of the information can be shared and with whom. 
It will be appreciated that the preferred embodiments 

15 described above are cited by way of example, and that the 
present invention is not limited to what has been particularly 
shown and described hereinabove. Rather, the scope of the 
present invention includes both combinations and 
subcombinations of the various features described hereinabove, 

20 as well as variations and modifications thereof which would 
occur to persons skilled in the art upon reading the foregoing 
description and which are not disclosed in the prior, art. 
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CLAIMS 

1. A. method for controlling an exchange of information 
between a first party and a second party, comprising: 

5 receiving from the first party a set of one or more 

privacy preferences, indicating restrictions to be placed on 
use of specified items of the information to be disclosed by 
the first party; 

receiving from the second party a description of a 

10 privacy policy, indicating undertakings by the second party 
with regard to restricting the use of the specified items of 
the information; 

assessing compatibility of the privacy preferences with 
the privacy policy; 

15 if the privacy preferences and the privacy policy are 

found to be incompatible, brokering a negotiation with at 
least one of the first and the second parties so as to bring 
the privacy preferences and the privacy policy into mutual 
compatibility; and 

20 ■ providing the information from the first party to the 

second party only when the privacy preferences and the privacy 
policy are found to be compatible. 

2. A method according to claim 1, wherein the restrictions 
25 indicated by the set of privacy preferences comprise 

restrictions on disclosure of the specified items of the 
information to third parties. 

3. A method according to claim 1, wherein the restrictions 
30 indicated by the set of privacy preferences comprise 

restrictions on analysis of the information. 
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4. A method according to claim 1, wherein the set of privacy 
preferences comprises a description of a condition subject to 
which the first party will permit one of the specified items 
to be used by the second party. 

5 

5. A method according to claim 1, wherein the first and 
second parties exchange the information via a computer 
network, and wherein receiving the privacy preferences and. the 
privacy policy comprises receiving the preferences and the 

10 policy via the network. 

6. A method according to claim 1, wherein the second party 
is one of a plurality of parties eligible to receive the 
information, and wherein assessing the compatibility of • the 

15 privacy preferences comprises selecting the second party from 
among the plurality of eligible parties responsive to the 
compatibility of the privacy preferences with the privacy 
policy of the second party. 

20 7 . A method according to claim 1, wherein providing the 
information comprises conducting a transaction between the 
first and second parties based on the information. 

8. A method according to claim 7, wherein the transaction is 
25 conducted in a sequence of stages, and wherein providing the 
information comprises providing different ones of the 
specified items at each of two or more different stages of the 
transaction, in a manner specified by the set of privacy 
preferences . 



30 
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9. A method according to claim 1, wherein providing the 

information comprises passing the information through an 

intermediary, which receives the privacy preferences and the 
privacy policy and brokers the negotiation if the privacy 

5 preferences and the privacy policy are found to be 
incompatible. 



10. A method according to claim 9, wherein the intermediary 
comprises an electronic marketplace, which is accessed by the 

10 first and second parties via a computer network. 

11. A method according to claim 9, wherein assessing the 
compatibility of the privacy preferences with the privacy 
policy comprises establishing an intermediary privacy policy, 

15 responsive to the privacy preferences, subject to which the 
first party is to communicate . with the intermediary, and 
assessing the compatibility of the intermediary privacy policy 
with the privacy policy of the second party. 

20 12. A method according to claim 11, wherein providing the 
information comprises conveying the information via the 
intermediary, wherein a portion of the information is provided 
in an encrypted form, in accordance with the privacy 
preferences, for decryption only by the second party and not 

25 by the intermediary. 

13. A method for electronic commerce, comprising: 

establishing a privacy policy restricting use of 

information to be revealed by a buyer to an electronic 
30 marketplace in connection with a transaction to be carried out 

by the buyer through the marketplace; 

subject to the privacy policy, receiving the information 

from the buyer, including a description of an item desired to 
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be procured for the buyer; 

locating a seller in communication with the marketplace 
offering the item; 

receiving from the seller an undertaking to restrict the 
5 use of the information in accordance with the privacy policy; 
and 

providing the information to the seller, subject to the 
undertaking, responsive to which information the seller 
conveys the item to the buyer. 

10 

14. A method according to claim 13, wherein establishing the 
privacy policy comprises receiving from the buyer a set of one 
or more privacy preferences with regard to specified items of 
the information to be provided by the buyer, and determining 

15 the privacy policy so as to accord with the received 
preferences . 

15. A method according to claim 14, wherein determining the 
privacy policy comprises assessing compatibility of the 

20 privacy preferences with policy guidelines of the marketplace 
and, if the privacy preferences and the policy guidelines are 
found to be incompatible, negotiating with the buyer so as to 
bring the privacy preferences into compatibility with the 
guidelines . 

25 

16. A method according to claim 14, wherein receiving the 
undertaking from the seller comprises receiving privacy 
proposals from multiple sellers in communication with the 
marketplace, and selecting at least one of the sellers whose 

30 privacy proposal accords with the buyer's privacy preferences. 

17. A method according to claim 13, wherein the transaction 
is carried out in a sequence of stages, and wherein providing 
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the information to the seller comprises disclosing different 
portions of the information at different stages of the 
transaction, in accordance with the privacy policy. 

5 18. A method according to claim 13, wherein receiving the 
information comprises receiving a portion of the information 
in an encrypted form inaccessible to the marketplace, in 
accordance with the privacy policy, and wherein providing the 
information to the seller comprises providing the encrypted 
10 portion of the information to the seller, who is enabled to 
decrypt the information. 

19. A method according to claim 13, wherein receiving the 
information comprises tracking and analyzing behavior of the 
15 buyer while the buyer is visiting the marketplace in order to 
derive purchase behavior data regarding the buyer, and 
comprising limiting use of the data in accordance with a 
restriction imposed by the privacy policy. 

20 20. Apparatus for controlling an exchange of information 
between a first party and a second party, comprising an 
information exchange server to receive from the first party a 
set of one or more privacy preferences indicating restrictions 
to be placed on use of specified items of the information to 

25 be disclosed by the first party, to receive from the second 
party a description of a privacy policy, indicating 
undertakings by the second party with regard to restricting 
the use of the specified items of the information, and to 
assess compatibility of the privacy preferences with the 

30 privacy policy, such that if the privacy preferences and the 
privacy policy are found to be incompatible, the server 
brokers a negotiation with at least one of the first and the 
second parties so as to bring the privacy preferences and the 
privacy policy into mutual compatibility, and conveys the 
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information from the first party to the second party only when 
the privacy preferences and the privacy policy are found to be 
compatible. 

21. Apparatus for maintaining an electronic marketplace, 
comprising an electronic commerce server to establish a 
privacy policy restricting use of information to be revealed 
by a buyer to the server in connection with a transaction to 
be carried out by the buyer through the server and, subject to 
the privacy policy, to receive the information from the buyer, 
including a description of an item desired to be procured for 
the buyer, to locate a seller in communication with the 
marketplace offering the item, to receive from the seller an 
undertaking to restrict the use of the information in 
accordance with the privacy policy, and to provide the 
information to the seller, subject to the undertaking, 
responsive to which information the seller conveys the item to 
the buyer. 

20 22. A system for controlling an exchange of information, 
comprising: 

a first computer, provided with a set of one or more 
privacy preferences, indicating restrictions to be placed on 
use of specified items of the information to be disclosed by 
25 the first party; 

a second computer, provided with a description of a 
privacy policy, indicating undertakings by the second party 
with regard to restricting the use of the specified items of 
the information; and 
30 an information exchange server, coupled to communicate 

with the first and second computers via a computer network, 
and to assess compatibility of the privacy preferences with 
the privacy policy, such that if the privacy preferences and 
, the privacy policy are found to be incompatible, the server 
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brokers a negotiation with at least one of the first and the 
second parties so as to bring the privacy preferences and the 
privacy policy into mutual compatibility, and further arranged 
to provide the information from the first party to the second 
5 party only when the privacy preferences and the privacy policy 
are found to be compatible. 

23 . A computer software product for controlling an exchange 
of information between a first party and a second party, the 

10 product comprising a computer-readable medium in which program 
instructions are stored, which instructions, when read by a 
computer, cause the computer to receive from the first party a 
set of one or more privacy preferences, indicating 
restrictions to be placed on use of specified items of the. 

15 information to be disclosed by the first party, and to receive 
from the second party a description of a privacy policy, 
indicating undertakings by the second party with regard to 
restricting the use of the specified items of the inf ormation, • 
and to assess compatibility of the privacy preferences with 

20 the privacy policy, and if the privacy preferences and the 
privacy policy are found to be incompatible, to broker a 
negotiation with at least one of the first and the second 
parties so as to bring the privacy preferences and the privacy 
policy into mutual compatibility, and to provide the 

25 information from the first party to the second party only when 
the privacy preferences and the privacy policy are found to be 
compatible. 

24. A computer software product for electronic commerce, the 
30 product comprising a computer-readable medium in which program 

instructions are stored, which instructions, when read by a 
computer, cause the computer to establish a privacy policy 
restricting use of information to be revealed by a buyer to an 
electronic marketplace in connection with a transaction to be 
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carried out by the buyer through the marketplace, and subject 
to the privacy policy, to receive the information from the 
buyer, including a description of an item desired to be 
procured from the buyer, and to locate a seller in 
5 communication with the marketplace offering the item, and to 
receive from the seller an undertaking to restrict the use of 
the information in accordance with the privacy policy, and to 
provide the information to the seller, subject to the 
undertaking, responsive to which information the seller 
10 conveys the item to the buyer. 
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